That seems to be because perl sees the 'e' in 'foo e eval...' as an -e command line switch. Change it to something else besides 'e' and the behavior changes.

It sort of feels like the same sort of exploit one should worry about when using the two-arg open unsafely, passing user data to a database without placeholders, or instantiating user data as variable names.

Right that is obviously what is doing, but is that safe for Perl and not the shell to break apart an argument on spaces? This seems dangerous. You now need to sanitize your backup-character-extensions for space characters because perl may otherwise execute it as code?

I think you found a real bug. And, sure, there are security implications. Theoretically, anyway. There are probably not that many places where this poses a real security threat. There's more potential for it to cause things to break and leave people scratching their heads though.